Showing 9 of 530 Publications in Financial Regulation & Corporate Governance

Open Banking Goes to Washington: Lessons from the EU on Data-Sharing Regimes

ICLE Issue Brief Abstract Once the jurisdiction that most clearly embraced a market-led approach to open banking, the United States appears on the verge of shifting to a . . .


Once the jurisdiction that most clearly embraced a market-led approach to open banking, the United States appears on the verge of shifting to a regulator-driven regime, with mandated sharing of financial data. More specifically, the U.S. Consumer Financial Protection Bureau (CFPB), relying on Section 1033 of the Dodd-Frank Act, recently proposed rules governing “personal financial data rights.” The rulemaking appears to follow the lead of the European Union (EU), which has long been at the forefront of government-led open banking. This paper seeks to analyze the CFPB proposal through the prism of the EU experience. A review of the EU’s regulatory framework, and particularly its implementation in the United Kingdom, may offer useful insights about the challenging tradeoffs posed by open banking, and thus permit an assessment of whether the CFPB proposal would add value, or simply represent an unnecessary regulatory burden

I. Introduction

Following instructions laid out by President Joe Biden in his 2021 executive order on “Promoting Competition in the American Economy,”[1] the U.S. Consumer Financial Protection Bureau (CFPB) in October 2023 promulgated a “Personal Financial Data Rights” rulemaking to facilitate the portability of consumer banking and financial data.[2] The proposal would activate a to-date dormant provision of Section 1033 (the Consumer Financial Protection Act) of the Wall Street Reform and Consumer Protection Act of 2010 that was intended to accelerate a shift toward so-called “open banking.”[3] Open banking—a term that, in the United States, is frequently used to encompass “open finance” more broadly—refers to a financial-services environment built on interoperability and data-driven services that allows customers to leverage their transaction and financial data, and imposes on financial institutions a duty to share such data, on customers’ request, with third-party providers (TPPs).

Under open banking, financial institutions’ customers gain effective control of their data, as well as the opportunity to benefit from more competitive services enabled by the application of technological innovation to banking and finance (“fintech”). Given access to, and the ability to process, large troves of data (including nonfinancial data—e.g., digital footprints), fintech-enabled products can serve to promote financial inclusion, mitigate consumers’ unwillingness or inability to switch among firms, and help financial consumers to make informed choices and to shop around for the most convenient deals.[4] Open banking is therefore broadly expected to generate substantial benefits for businesses, consumers, and the economy as a whole.

Alongside those opportunities, however, financial innovation also poses several new concerns about consumer protection. Notably, the systematic digitization of financial transactions introduces potential for discrimination, manipulation, and exploitation of vulnerable customers.[5] Considering both consumers’ generally low levels of digital and financial literacy, and the opaque nature of algorithmic decisionmaking, they could be forced to make exceedingly complex choices among tradeoffs, and may be exposed to novel privacy and security risks. Even in cases of truly informed consent, the consumer-welfare impact of the enhanced fintech competition enabled by data sharing could be ambiguous.[6] Further, the emergence of new participants in the delivery of banking and financial services may negatively affect both competition and the financial system’s stability.

For all these reasons, designing a regulatory framework fit for purpose requires sensitive policy decisions about common standards for customer data and technical interfaces; solutions to allow customers to manage data permissions; eligibility rules and requirements for third parties seeking access to data; and the role of data aggregators.

The EU and UK have been at the forefront of the open-banking movement, having inspired other countries to follow their direction (e.g., Australia, Brazil, India, Mexico, Singapore). Those two jurisdictions are also currently evaluating proposals to extend their open-banking regulatory frameworks to “open finance” more broadly. A comparative analysis of the approaches adopted and models developed the EU and UK would therefore aid U.S. policymakers looking to strike the proper balance in the promises and perils of open banking.[7] Among the notable lessons to draw from the EU and UK experience include how those jurisdictions have sought to adopt a harmonized application programming interface (API) standard; to facilitate data access and create incentives to develop high-quality APIs; to define a regulatory framework for access to financial-information data; and whether to make banking and financial data available to nonfinancial companies (in particular, to so-called “Big Tech” platforms).

By taking stock of the EU experience and focusing on those provisions most relevant to innovation and competition, this paper aims to assess the CFPB’s proposal by investigating open banking’s challenging tradeoffs, identifying key features for its effective functioning, and providing policy suggestions for the forthcoming U.S. implementation.

The paper is structured as follows: Section II illustrates the economic rationale and challenges of regulatory-driven open-banking processes. Section III provides an overview of the  EU and UK frameworks, while also analyzing recent proposals to facilitate open finance. Section IV analyzes the U.S. proposal, drawing attention to relevant differences from the EU context. Section V concludes.

II. The Open Banking Conundrum: Rationale, Goals, and Challenges

Legislative initiatives to promote open banking belong to a more general wave of regulatory interventions intended to empower individuals with more control over data and to thereby unlock competition and innovation in both new and traditional markets.

The details vary from jurisdiction to jurisdiction and sector to sector, but data-sharing obligations generally include both data portability and interoperability. The former describes the ability to port from one platform to another any bulk data created through an individual’s use of a particular service. Data portability does not require systemic use of APIs, as it is accomplished via a one-time transfer at a specified point in time.[8] In contrast, open banking involves the creation of an in situ data right; i.e., rather than moving data among platforms, users are permitted to use their data within a given platform ecosystem and determine when and under what conditions third parties can access that in situ data.[9] Therefore, it represents a form of interoperability and, more specifically, belongs to the subcategory of data interoperability. Data interoperability refers to the ability to share and access data on a continuous and real-time basis, usually through APIs.[10]

Because market dynamics are shaped by consumer behavior, open-banking advocates assert that enhancing consumer engagement can play a crucial role in fostering effective competition. The fundamental policy objective of such data-sharing regulatory initiatives is to lower switching costs and avoid personal data lock-in by allowing consumers to switch smoothly or multi-home across platforms. In the case of open banking, this consumer empowerment is believed to strengthen their bargaining position with respect to banks. By gaining effective control of their own transaction data and allowing select TPPs to access such data, it is believed that consumers would be able to make informed choices among various banking and financial products and, with the help of data-driven tools, that they could receive personalized suggestions with the help of big-data analytics applied to their own economic behavior.

In summary, the goal of open banking is to increase competition, spur innovation, and make the market more contestable through data sharing. This is well-illustrated by the UK experience where, as we will see (infra Section III.C), the antitrust authority put forward data-sharing requirements as a regulatory remedy after a market investigation of the retail and business-banking sectors found weak competitive dynamics, including a high degree of market concentration and an extremely low switching rate.[11] UK authorities have even sought to measure the “loyalty penalty” that longstanding customers tend to pay for their inertia, estimating average annual gains they could realize from switching.[12]

Some open-banking proponents therefore seek to justify regulatory intervention on traditional market-failure grounds, noting that the banking sector in many countries suffers chronic deficiencies in its competitive dynamics. Without a legislative obligation to share date, banks may have valid reasons to decline access to or withhold sensitive information from TPPs, due to concerns about intellectual property, security, potential reputational risks, and liability issues.[13]

Nonetheless, it should also be noted that “open banking” does exist even where there is no regulatory mandate to share data. Indeed, even where banks are unwilling to collaborate with TPPs, third parties may gain access to customers’ accounts via screen scraping.[14] Screen scraping happens when consumers share their credentials with TPPs, who in turn impersonate the consumer, leaving them without control regarding what data is collected and how it is used and disclosed. The practice is known to increase the risks of inaccuracies, fraud, and data breaches. Indeed, the prevalence of screen-scraping practices may provide additional justification for open-banking regulations, as they represent a risky data-collection practice inconsistent with cyber-security best practices.

These concerns are further heightened by the fact that screen scraping allows TPPs access to all consumer data, rather than only those needed to provide payment and financial services. Therefore, open-banking proposals have also been advanced to guarantee consumer protection by providing a secure framework and ensuring a shift from screen scraping to developer interfaces (usually, credential-free APIs maintained by data providers or their service providers) as the most common means to access consumer data.[15] This would, it is argued, further enhance consumer trust in data sharing.

While there is consensus that developer interfaces should supplant screen scraping, significant disagreements have emerged around API standardization. Advocates particularly disagree about whether policymakers should mandate adoption of a common API standard or embrace a market-led approach that would leave banks free to develop their own interfaces or participate in privately led standardization initiatives.[16]

On the one hand, a common API standard could jeopardize dynamic competition among standards and undermine market incentives to innovate and develop high-quality interfaces. On the other hand, fragmented API standards could exacerbate the costs of interoperability, which in turn could translate into higher barriers for new entrants.[17] The unintended consequences that may arise from the absence of standardization are arguably worsened by conflicting interests among market participants—notably the lack of incentives for banks to grant access to TPPs.

Moreover, doubts have been expressed about how effective mandatory data sharing actually is in promoting competition. Growing concerns have emerged about financial-stability and monetary-policy risks generated by the entry of new players into the banking and financial-services industries.[18] Indeed, while open-banking regulations were intended primarily to create opportunities for fintech startups, whose services are otherwise constrained by lack of access to customer transaction data, the data-sharing obligations imposed on banks also tend to benefit unregulated financial-services players.

Notably, data-access rules have favored the entry of “Big Tech” firms, which initially entered the finance sector through payment services, but have swiftly diversified their offerings to include credit, insurance, and savings and investment products. While it remains unclear whether fintech startups will be able to compete effectively with legacy banks, rather than cooperate with them by providing complementary services,[19] Big Tech may represent a significant competitive threat to banks. The large tech platforms may be able to scale up quickly in financial markets by exploiting proprietary datasets derived from their non-financial operations (as well as analytical skills and advanced technologies) in order to provide consumers with personalized offers.[20] In this regard, from a competitive standpoint, there have also been questions about the asymmetric nature of data-sharing provisions that, in contrast with the goal of ensuring a level informational playing field, impose on banks a duty to grant access to TPPs without including a reciprocal obligation on the latter that would equally allow banks to enhance digital services.[21]

Further shortcomings and perils are associated with the role played by data aggregators (also known as API aggregators or API hubs). Emerging in response to the multiplicity of bank APIs available on the market, data aggregators act as intermediaries between banks and TPPs by integrating various APIs to offer a single implementation point for TPPs. From a technical perspective, data aggregators bring enhancements to the open-finance ecosystem. Indeed, providing a standardized API—irrespective of the specific APIs or services integrated—allows TPPs to seamlessly connect with various APIs without the need to handle the configuration and formatting intricacies of data and interfaces.

Data aggregators, however, also pose risks of market dominance.[22] Notably, due to their advantageous scale and extensive access to consumer financial data, the market might favor only a handful of major players. In other words, especially in a highly fragmented financial-services market, such as the United States, data aggregators may attract a critical mass of API-software developers that benefit from the same data-accumulation economics that may favor industry concentration and the entrenched dominant position of some Big Tech firms (i.e., strong economies of scale, scope, and network effects).[23] In addition, the API connection service delivered by aggregators can be viewed as a factor contributing to inefficiency, as it elongates transaction chains and introduces costs due to the fact that it is provided against compensation.

By and large, open banking’s rationale, aims, and tradeoffs suggest that one size does not fit all. Therefore, jurisdictions evaluating policy interventions to facilitate data sharing in banking and finance should adopt a tailored approach, taking stock of other countries’ experiences to carefully assess the benefits and drawbacks of market-led and regulatory-led regimes, respectively.

III. The EU Regulatory Framework and Its UK Implementation

From a regulatory perspective, the EU led the way in open banking by introducing a sector-specific data-access right in 2015. The jurisdiction is now on the verge of further extending its legal framework to embrace open finance. While based on the same framework, the UK adopted a different technological model for standardizing data-sharing interactions between banks and TPPs, which has become noteworthy as one of the most advanced examples of mandated interoperability. Further, the EU’s ongoing review of its regulatory regime may offer some useful insights about both the successes and shortcomings of open banking, as well as how it compares to the UK regime.

The EU and UK therefore represent useful benchmarks for U.S. policymakers interested in incorporating the lessons learned from those experiences. Recent proposals in both the EU and UK to go beyond payment-account data in order to promote access to financial data could be equally relevant to the United States, as the CFPB’s rulemaking aims to facilitate a form of open finance.

A. PSD2 and Its Reform

The EU’s 2015 Directive on Payment Services (PSD2) introduced the access-to-account rule (XS2A rule), which requires account-servicing payment-service providers (ASPSPs) to share, upon user request, real-time data on customers’ accounts with TPPs—both payment-initiation service providers (PISPs) and account-information service providers (AISPs)[24]—as well as to execute payment orders.[25] PSD2 enables access without need for a contractual relationship between the ASPSPs and TPPs, and thus without compensation.

While open banking existed in the EU prior to PSD2, the directive’s aim was to provide a secure regulatory framework. Previously, TPPs operated in a largely unregulated environment and accessed customers’ accounts primarily by screen scraping.[26]

Under PSD2, data access is facilitated either through APIs, or by granting TPPs direct access to payment data using the interface that banks employ for customer interactions (customer-facing interface). In order to safeguard business continuity for TPPs, PSD2 requires ASPSPs that opt for a dedicated interface (PSD2 API) to also provide an alternative interface to TPPs (a fallback interface) in the event of malfunction or other issues with the dedicated interface. To facilitate the objective of promoting competition and innovation, PSD2 and its implementing regulatory technical standards (RTSs) chose not to impose a unique API standard; nearly 10 years later, there is still no single pan-European open-banking API standard.

A recent evaluation report concluded that PSD2 has been successful in reducing fraud via the introduction of strong customer authentication (SCA), which involves two authentication factors based on either knowledge (e.g., a password), possession (e.g., a card) or inherence (e.g., a fingerprint).[27] The report, however, also found that PSD2 was only somewhat effective in achieving a level playing field, and was a mixed success in the uptake of open banking in the EU.[28] Indeed, there have been recurrent issues as regards TPPs lacking effective and efficient access to data held by ASPSPs, with a particular imbalance between bank and nonbank service providers.[29]

Notably, the review found that neither ASPSPs nor TPPs are fully satisfied with the current situation.[30] The latter regularly complain about the performance of data-access interfaces, reporting that they experience difficulties in providing basic services due to inadequate and low-quality PSD2 APIs.[31] TPPs also note that, as API standards are set by the industry, this fragmentation leaves them in the disadvantageous position of bearing the costs of developing separate solutions to access different banks’ APIs.[32]

For their part, ASPSPs also express dissatisfaction, reporting significant implementation costs to develop APIs, as well as objections that PSD2 precludes them from charging TPPs for access to customer data.[33] In other words, banks perceive open banking purely as a regulatory burden, and argue that the free access does not offer incentives to create the best possible APIs.[34] Banks are similarly dissatisfied with the low use of their APIs, raising complaints that API aggregators pass on user data to unregulated third parties.[35]

Despite these findings on the imperfect functioning of open banking in the EU, the European Commission has chosen not to pursue radical changes.[36]

With regard to TPPs’ complaints, while acknowledging that a different solution might offer better access to data, the Commission’s proposed amendments to PSD2 do not include imposing a fully standardized EU data-access interface, on belief that the costs of introducing a new single API standard would outweigh the benefits.[37] Indeed, the Commission notes that, despite the existence of different API standards in the EU, the existing PSD2 API standards have substantially converged over time toward two primary solutions (i.e., the Berlin Group standard and the STET standard).[38] In addition, even if not envisaged by PSD2, the emergence of API aggregators that offer a paid alternative to a PSD2 API standard has lowered frictions arising from fragmented API standards.[39]

Nonetheless, starting from the premise that screen scraping should be out of bounds,[40] the proposal suggests streamlining the regime by removing the two interface requirements (i.e., a principal interface and a fallback interface) and imposing, as a general rule, mandatory use of APIs designed and dedicated for open-banking purposes to provide data access to TPPs.[41] Moreover, to ensure TPPs’ business continuity and ability to provide high-quality services to clients, the proposal would grant them the right to benefit from “data parity,” with the customer interface provided by ASPSPs to their users.[42]

In the same way, in response to banks’ requests to modify the PSD2 to allow for compensation to facilitate access to data, the proposed amendments would safeguard the current regime (i.e., TPPs benefiting from the PSD2 baseline services without contractual agreement or charging) but would allow contractual relationships to be established, accompanied by compensation for services that go beyond those required by the PSD2.[43] This would allow the development of “premium” APIs to provide transaction information from other types of accounts (e.g., savings accounts) and allow the schedule of recurring payments.[44]

Finally, to increase trust in open banking and empower consumers to be in full control of their data, the proposal would require ASPSPs to make a dashboard available for customers to monitor data access granted to open-banking service providers, and to easily withdraw or re-establish that access.[45]

B. Open Finance Proposal

Alongside proposals to revise PSD2, the European Commission has also delivered a legislative proposal on data access to financial information (FIDA), which would complement the XS2A rule with an obligation to provide access to financial data.[46]

The FIDA proposal builds on the same rationale as PSD2—i.e., promoting competition and innovation in a data-driven ecosystem by entrusting customers of financial institutions (i.e., both consumers and firms) with effective control over their financial data to benefit from financial products and services tailored to their needs.[47] The wording of the aims section of the proposal clearly resembles PSD2. According to the proposal, the lack of personalized financial products hinders the potential for innovation, as it restricts the ability to provide a broader range of choices and financial services to consumers who could otherwise gain advantages from data-driven tools that help them make informed decisions, easily compare offerings, and switch to more favorable products aligning with their preferences based on their data.[48] A particular emphasis is placed on small players, as they are assumed to suffer most from existing barriers to business-data sharing.[49]

In addition, the FIDA proposal adopts the same approach as PSD2 (confirmed by its proposed revision) toward the lack of reciprocity in data-access obligations. As mentioned above, this approach has garnered criticism for being at-odds with the proclaimed goal of leveling the informational playing field. Against the risk of favoring Big Tech firms over financial incumbents and new fintech entrants, the Commission notes that the Digital Markets Act (DMA)[50] would ensure reciprocity in data access between financial-sector firms and large technology companies.[51] Indeed, under the DMA, gatekeeper platforms are required to ensure real-time access to data provided or generated on the platform by business users and consumers in the context of core platform services.

But to safeguard financial stability, market integrity, and consumer protection, the proposal lays down eligibility rules on access to customer data, establishing that the latter can be accessed only by regulated financial institutions or firms authorized as financial-information service providers (FISPs).[52] The provision applies the principle of “same activity, same risks, same rules,” according to which all financial-market participants that carry out the same activity and generate the same risks ought to be subject to the same standards for consumer protection and operational resilience.[53]

In a nutshell, the FIDA initiative is intended to extend the open-banking framework to open finance, and it proceeds from the same customer-centric approach, building on the lessons learned in the PSD2 review.[54] Therefore, while the FIDA proposal includes the same amendments related to data-access permission dashboards for customers,[55] it differs significantly from the proposed revision of PSD2 with regard to envisaged solutions against the risk of a low-quality and fragmented API landscape.

Notably, the FIDA proposal explicitly acknowledges that making data available via high-quality APIs is essential to facilitate seamless and effective access to data. Seeking to safeguard incentives for data holders to invest toward this aim, the proposal declares that is appropriate to allow them to request reasonable compensation from data users.[56] Such a solution would be in line with the principle recently introduced in the Data Act of a contractual data-sharing model.[57] Accordingly, under the FIDA proposal, a data holder may claim compensation only if the customer data is made available to a data user in accordance with the rules and modalities of a financial-data-sharing scheme.[58]

Moreover, as the consultation strongly indicated that the lack of standardization is a major obstacle to data sharing in finance,[59] the FIDA proposal imagines that market participants would be required to jointly develop common standards for customer data and interfaces as part of these financial-data-sharing schemes.[60] The option to empower European supervisory authorities to develop a single EU-wide standard for the entire financial sector was discarded because of its perceived drawbacks, complexity, and overall costs. More specifically, it was considered unlikely that a single standard would satisfy the diverse needs of data users in different segments of the financial-services industry, and that it would be challenging for public authorities to keep pace with technical developments by updating standards in a timely manner.[61]

The explanation proffered for this apparent discrepancy between open banking and open finance in the EU is simply one of path dependence. As open finance is an emerging market that would be regulated for the first time, it has no legacy compensation regime and no investments in APIs already made; therefore, it is believed there would be no risk of disruption.[62]

C. The UK Regime

Building on the same framework as PSD2, the UK opted for a more extensive and invasive implementation of the XS2A rule. Indeed, while PSD2 is technology-agnostic, the UK promoted a standardized model of open banking. Notably, the UK Competition and Markets Authority (CMA) required the nation’s nine largest banks (CMA9) to agree on common and open API standards, data formats, and security protocols that would allow TPPs to connect to customers’ bank accounts according to a single set of specifications.[63] Further, a special-purpose entity, funded by the CMA9, was created to oversee the rollout of API standards and support parties in the use of such standards.

The CMA decided to promulgate this remedy after a review of the retail-banking sector found perceived structural and longstanding competitive weaknesses.[64] In particular, the UK antitrust authority investigated whether there were barriers constraining banks’ ability to enter or expand competition in personal current accounts (PCAs), whether weak customer response was a result of lack of engagement and/or barriers to searching and switching that dampened banks’ incentives to compete, and whether the level of concentration had an adverse effect on customers. The investigation revealed that the market was concentrated and, despite variations among banks in prices and quality, market shares remained stable over time. Indeed, the four largest UK banks accounted for more than 70% of consumers’ primary PCAs and had collectively lost less than 5% market share since 2005.[65] Further, the market study found that a substantial proportion of customers were paying above-average prices for below-average service quality, thus suggesting they would be better off switching products.[66]

Despite these premises, customer engagement was low. The survey reported that more than a third of respondents had been with their primary PCA provider for more than 20 years, over a half for more than 10 years, and only 8% of customers had switched PCAs to a different bank over the past three years.[67] Such results were even more significant when compared to switching rates in other sectors.[68]

Seven years since its introduction, the UK celebrates the success of its open-banking model, claiming significant take-up and accelerating growth. Today, more than 7 million consumers and businesses (of which 750,000 are small to medium-sized enterprises) use open-banking-enabled products and services.[69] The data show that customers show positive sentiment toward open banking, believing they are in better control of their personal finances. Most TPPs likewise find that the API-standardized implementation has been particularly effective.[70] For these reasons, the UK Government has announced the launch of open finance—i.e., its intention to extend its open-banking model beyond payment accounts to a broader range of financial services and products.[71]

The perceived success of the UK version of open banking was confirmed when an identical model was adopted in Australia, where the Australian Competition and Consumer Commission required the four major banks to share product-reference data with accredited data recipients and mandated the adoption of a single set of API standards for data sharing.[72] Australia’s open-banking requirements are part of an ambitious legislative initiative to introduce an economy-wide data-sharing framework, tested initially in banking and energy, and expected to eventually be extended to telecommunications, pensions, insurance, and other areas.

IV. The CFPB’s Rulemaking on ‘Personal Financial Data Rights’

Once the jurisdiction that most clearly embraced a market-led approach to open banking and open finance, the United States appears on the verge of shifting toward the EU’s prescriptive and regulator-driven regime, with mandated sharing of financial data.

In 2021, the White House encouraged the CFPB to intervene in the banking market to “promote competition” consistent with the objectives stipulated in Section 1021 of the Dodd-Frank Act and, in particular, to consider commencing rulemaking under Section 1033 of the Dodd-Frank Act to facilitate the portability of consumer-financial-transaction data.[73] Section 1021 entrusts the CFPB with ensuring that all consumers have access to markets for consumer financial products and services, and that these be “fair, transparent, and competitive.” Section 1033 establishes that, subject to certain exceptions, any person that engages in offering or providing a consumer financial product or service shall make available to a consumer, upon request, information in its control concerning that product or service that the covered person obtained from said consumer. In addition, the CFPB shall prescribe standards applicable to covered persons to promote the development and use of standardized formats for information, including through the use of machine-readable files, to be made available to consumers under this section.

As a consequence of the White House’s 2021 executive order on competition, the CFPB in October 2023 proposed a Personal Financial Data Rights rule to activate the aforementioned provisions enacted by the U.S. Congress more than a decade ago.[74] Notably, in addition to ensuring that consumers can access covered data in electronic form from data providers, the proposed regulation would delineate the scope of data that TPPs can access on a consumer’s behalf, the terms on which data are made available, and the mechanics of data access.

First, the CFPB chose to prioritize certain types of consumer accounts. The scope of the rulemaking includes as covered entities those providing asset accounts subject to the Electronic Fund Transfer Act and Regulation E; credit cards subject to the Truth in Lending Act and Regulation Z; and related payment-facilitation products and services, and, as covered data, transaction information; account balances; information to initiate payment to or from a Regulation E account; terms and conditions; upcoming bill information; and basic account-verification information.[75]

The rulemaking also requires data providers to establish and maintain a developer interface for third parties to access consumer-authorized data under certain performance and security specifications.[76] In particular, the CFPB established that the performance of a developer interface cannot be commercially reasonable unless it has a response rate of at least 99.5 percent within 3.5 seconds. Despite the costs incurred to meet these requirements, the CFPB suggested forbidding data providers from imposing access caps and levying any direct fee for fulfilling a request.[77]

Further, the rulemaking seeks to promote standardization by supporting industry standards appropriately developed within a data-access framework (“qualified industry standard”).[78] Due to concerns about the pace of technological change,[79] rather than dictating technical standards, the CFPB suggested that indicia of compliance with certain provisions must include conformance to an applicable industry standard issued by a fair, open, and inclusive standard-setting body.[80]

A. Absence of Justifications for Regulatory Intervention

The CFPB’s rulemaking builds on Section 1033 of the Dodd-Frank Act. As noted by some scholars, however, Section 1033 is “silent” on the core principles of open banking.[81] Indeed, the provision creating a data-access right for consumers does not expressly impose on financial institutions a duty to share such data with third parties. Therefore, in contrast with the EU PSD2, it is far from clear whether there is a legislative mandate authorizing the CFPB to promote open banking via interoperability obligations. Indeed, the lack of a clear regulatory mandate is arguably what has allowed a market-driven approach to open banking to emerge in the United States over the last 14 years.

More importantly to the present analysis, the U.S. context differs significantly from the EU, raising questions about the justification for regulatory intervention. These doubts involve both the spread of poor technological-data-access solutions and the respective markets’ structural competitive weaknesses. Regarding the former, the CFPB proposal places significant emphasis on screen scraping. CFPB Director Rohit Chopra has described the current regime as “broken,” with consumer access based on a set of unstable and inconsistent norms across market participants and with many companies accessing consumer data through activities like screen scraping.[82] The proposal thus seeks to move the market away from these risky data-collection practices.[83]

But while acknowledging that screen scraping has allowed open banking to grow quickly in the United States,[84] the CFPB also reports that a large and growing number of consumers currently access their financial data through consumer-authorized third parties, and that the share of access attempts made through screen scraping has declined by a third since 2019.[85] According to the CFPB, the recent growth in traffic through credential-free APIs reflects the technology’s adoption by some of the largest data providers, covering tens of millions of covered accounts.[86] The bureau estimates that API use has grown substantially over the last five years, as the annual number of consumer-authorized access attempts approximately doubled from 2019 to 2022.[87] The U.S. market therefore already appears to be moving away from screen scraping and toward the use of APIs.

Moreover, the U.S. banking and financial-services sector is characterized by a large degree of fragmentation. As noted in the literature, such extreme fragmentation is “stark” when compared with the EU and other jurisdictions that have adopted open banking and open finance.[88] In response, U.S. financial institutions have undertaken initiatives to promote API standards, which already include private standard-setting bodies such as the Financial Data Exchange (FDX). The result has been a commingling of financial institutions, data aggregators, fintechs, payment networks, and consumer groups with the objective of “unifying the financial services ecosystem around a common, interoperable and royalty-free technical standard for user-permissioned financial data sharing.”[89]

But such efforts for industry-supported API standards have been controversial.[90] Indeed, an additional peculiar feature of the U.S. financial-services industry is the emergence of a relatively concentrated data-aggregation market, where a handful of players serve the entire sector.[91]

In summary, while the two primary rationales for regulator-driven open banking in other jurisdictions are chronic deficiencies in market contestability and the widespread use of screen scraping, neither of these features are present in the U.S. scenario. Since regulatory intervention is context-dependent and entails complex tradeoffs and sensitive choices (see supra Section II), the absence of these justifications raises doubts about the potential added value of the CFPB’s initiative—specifically, whether any benefits to innovation, competition, and consumer choice will outweigh regulatory costs.

B. Insights from the EU’s Shortcomings

While the marked differences between the U.S. and EU landscapes raise questions about the rationale for a U.S. shift toward regulator-led open banking, a glance at the EU’s recent review of its open-banking regime underscores the degree to which the proposed CFPB framework may represent an unnecessary regulatory burden. In particular, there should be significant doubts about the competitive implications of the proposed rules, and particularly about the degree to which they would serve to ensure quality data-sharing and a level informational playing field.

Indeed, the CFPB’s primary justification for top-down intervention is to outlaw screen scraping, which is unanimously considered worrisome for data privacy, security, and accuracy.[92] The EU FIDA proposal highlights data accuracy as especially key for competition, noting that making data available via high-quality APIs is essential to facilitate effective access.[93] The CFPB proposal likewise assumes that the quality of data provided through open-banking APIs is greater than that collected through screen scraping.

But the recent review of the EU PSD2 noted TPPs’ dissatisfaction with the performance of data-access interfaces.[94] Notably, many TPPs complained that, despite the high costs of implementation, APIs are implemented differently and don’t always work.[95] At the same time, banks complain about the costs of PSD2 compliance, arguing that the mandated free access leaves them no incentive to offer the best possible APIs.[96] Given the significant implementation costs to develop high-quality APIs, the European Commission has supported a proposal to allow data holders to request reasonable compensation from data users.[97] More generally, the EU Data Act affirms that it is desirable to provide remuneration for data under fair, reasonable, and non-discriminatory (FRAND) terms in order to promote investment and safeguard appropriate incentives to develop high-quality interfaces.[98] Such compensation might include not only the costs incurred to make the data available, but also a margin to account for such factors as the volume, format, or nature of the data. By contrast, the CFPB proposal would impose performance specifications for the developer interface while forbidding any fee or charge in connection with establishing the required interface or receiving requests to make covered data available.[99]

Other CFPB provisions are inconsistent with open banking’s procompetitive goal of levelling the informational playing field. Notably, the CFPB replicates the asymmetric treatment imposed on financial institutions by the PSD2 (as well as by the current EU proposals), under which banks and other lenders have a duty to share account data, while no reciprocal obligation is imposed on data recipients. Restricting access and use of data may serve to hinder development of innovative products or services, and a bidirectional access-to-data-account rule in PSD2 could have been used to enhance digital-payment services. A system in which all eligible entities participate would be more dynamic and promote greater competition. Therefore, in principle, there is good reason to establish that accredited data recipients in a designated sector should also be obliged to provide equivalent data in an equivalent format, in response to a consumer request.[100] Further, an unbalanced data-sharing burden risks over-empowering new players (i.e., fintechs, Big Tech, and data aggregators) relative to legacy banks.

In a similar vein, the CFPB’s blanket prohibition on secondary data use could yield further anticompetitive shortcomings by imposing limits on data flows—namely on the use of covered data for targeted advertising and cross-marketing, even when those data are de-identified.[101] Indeed, such restrictions are at odds with core open-banking principles. As open banking is consumer-centric and aims to promote consumer empowerment to spur innovation and competition, it should abandon purely paternalistic approaches focused only on consumers’ vulnerabilities. Instead, open-banking principles inherently endorse a proactive strategy based on consumers’ ability to manage their data and choose which parties should use it to offer new products and services.[102] An outright ban on targeted advertising and cross-marketing instead reduces consumer choices and their opportunities to discover new products and services. By further hindering the level informational playing field, such a prohibition would favor incumbents over newcomers and challengers.

Finally, following the EU, the CFPB would adopt an open-banking regime with mandatory data sharing, but without regulator-supplied technical standards. Similar to EU policymakers—and in contrast with UK and Australian regulators—the CFPB argues that detailed technical standards are too complex and unsuited to the pace of technological change, even though they would be particularly well-suited to the excessively fragmented U.S. market.[103] In supporting the development of common standards through standard-setting organizations, the CFPB’s proposal is similar to the European FIDA proposal, although the latter mandates participation by financial institutions, data holders, and data users in data-sharing schemes. Indeed, under the FIDA proposal, data that falls within the scope of the sharing obligation would only be available to members of a financial-data-sharing scheme.

The concerns about whether such an invasive intervention will be “future proof” are compelling, especially given the size of the U.S. financial market. But a UK-style remedy would at least be effective against the only potential risk of market dominance—that of a small handful of data aggregators emerging as a response to the peculiar fragmentation of the U.S. market. In this regard, there should be doubts about whether it will be effective to entrust standard-setting bodies to develop “qualified” standards within the CFPB’s framework.[104] In particular, it is unclear what value would be added relative to the way that market-led open banking is currently delivered in the United States, as it already includes industry standard-setting initiatives (e.g., FDX). Subjecting standard-setting organizations to CFPB vetting regarding their fairness, openness, and inclusiveness does not seem like a game changer. On the contrary, it appears to be just another unnecessary regulatory burden, apparently unfit to address the purported risks of standards controlled by dominant incumbents or intermediaries, thus “enabl[ing] rent-extraction and cost increases for smaller participants.”[105]

V. Conclusion: Does the CFPB’s Open Banking Fall Short?

Following the EU and the UK, about 80 countries have recently engaged in government-led open-banking initiatives.[106] The United States is on the brink of joining the club. But even without a regulatory framework to mandate data sharing, open banking is already flourishing in the U.S. market. Therefore, it’s important to understand why the country that has been at the forefront of market-driven open banking would shift to a compulsory regime, as well as what model inspired this change.

The EU’s regulator-driven open-banking regime relies on the twofold rationale of promoting fintech competition and safeguarding consumers from screen-scraping practices. But the EU’s background differs significantly from the U.S. scenario. Rather than being highly concentrated, the U.S. market seems paradoxically to suffer from the opposite problem—namely, excessive fragmentation. As a result, the competitive issue that has emerged in the United States is one of market concentration at the intermediary level (i.e., data aggregators), rather than upstream (i.e., banks). Moreover, as the CFPB acknowledges, the U.S. market has already been moving away from screen scraping, as testified by the exponential increase in the number of consumer-authorized access attempts in recent years.

The state of the U.S. open-banking ecosystem also flies in the fact of the traditional market-failure justification for regulatory intervention. In disregarding the peculiar features of the U.S. context, the CFPB’s proposal may miss badly in selecting effective technical solutions. Indeed, by replicating the EU approach, rather than the UK implementation, the CFPB discards the option of imposing  single U.S.-wide standard because of its cost, complexity, and dynamic innovation shortcomings. While these concerns are well-founded, at the very least, an invasive technological solution would address the only potential competitive issue in the U.S. market, which is the role of data aggregators. Moreover, the CFPB ignores some useful insights from the recent review of the EU experience, which recommends allowing incentives to develop high-quality APIs by compensating banks for their efforts.

For all these reasons, there should be significant concerns about whether the CFPB’s initiative is needed and to extent to which such a top-down intervention would add value in the U.S. market.

Despite the ambiguous effects and challenging tradeoffs of open banking, it has been trendy of late and the government-led version has become widespread around the world. It is worth remembering, however, that regulatory models do not work in a vacuum. They are context-dependent and can be more or less effective depending on the particular features of the markets and countries involved. More importantly, regulation is not inherently preferable to market-led solutions. Regulation is just a pill for a disease—ideally, the cure for a market failure. If the latter is missing or is not properly detected, consumers effectively be asked to pay the price for an unneeded dress, however stylish it might be.

[1] Executive Order on Promoting Competition in the American Economy, White House (Jul. 9, 2021),

[2] Required Rulemaking on Personal Financial Data Rights, Docket No. 2023-CFPB-0052, U.S. Consumer Financial Protection Bureau (Oct. 19, 2023),

[3] Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, 12 USC 53 (2010), §1033.

[4] See, e.g., Tania Babina, Saleem Bahaj, Greg Buchak, Filippo De Marco, Angus Foulis, Will Gornall, Francesco Mazzola, & Tong Yu, Customer Data Access and Fintech Entry: Early Evidence from Open Banking (NBER Working Paper 32089, Jan. 2024),; Tobias Berg, Valentin Burg, Ana Gombovic, & Manju Puri, On the Rise of Fintechs: Credit Scoring Using Digital Footprints, 33 Rev. Financ. Stud. 2845 (Sep. 12, 2019); Thomas Philippon, On Fintech and Financial Inclusion (NBER Working Paper No. 26330, Sep. 2019),

[5] See, e.g., Access to Finance for Inclusive and Social Entrepreneurship. What Role Can Fintech and Financial Literacy Play? (OECD Local Economic and Employment Development (LEED) Papers, 2022),; Isil Erel & Jack Liebersohn, Can Fintech Reduce Disparities in Access to Finance? Evidence from the Paycheck Protection Program, 146 J. Financ. Econ. 90 (Oct. 2022); Yoke Wang Tok & Dyna Heng, Fintech: Financial Inclusion or Exclusion? (IMF Working Paper No. 80, May 6, 2022),

[6] See, e.g., Zhiguo He, Jing Huang, & Jidong Zhou, Open Banking: Credit Market Competition When Borrowers Own the Data, 147 J. Financ. Econ. 449 (Feb. 2023); Christine A. Parlour, Uday Rajan, & Haoxiang Zhu, When FinTech Competes for Payment Flows, 35 Rev. Financ. Stud. 4985 (Apr. 27, 2022).

[7] For an overview of the international landscape, see Babina et al., supra note 4; Shifting from Open Banking to Open Finance: Results from the 2022 OECD Survey on Data Sharing Frameworks (OECD Business and Finance Policy Papers, 2023),

[8] Daniel Schnurr, Switching and Interoperability Between Data Processing Services in the Proposed Data Act, Centre on Regulation in Europe (Dec. 2022), 11, available at

[9] Bertin Martens, Geoffrey Parker, Georgios Petropoulos, & Marshall van Alstyne, Towards Efficient Information Sharing in Network Markets (Bruegel Working Paper No. 12, Nov. 10, 2021),

[10] On the various degrees of interoperability, see Jacques Cre?mer, Yves-Alexandre de Montjoye, & Heike Schweitzer, Competition Policy for the Digital Era, European Commission Directorate-General for Competition (2019), 58-59,

[11] The Retail Banking Market Investigation Order 2017, UK Competition and Markets Authority (Feb. 2, 2017),

[12] See Oscar Borgogno & Giuseppe Colangelo, Consumer Inertia and Competition-Sensitive Data Governance: The Case of Open Banking, 9 EuCML 143 (2020).

[13] Impact Assessment Accompanying the Proposal for a Directive on Payment Service in the Internal Market, European Commission (Staff Working Document, 288 final, 2013), 137.

[14] Report on the Review of Directive 2015/2366/EU of the European Parliament and of the Council on Payment Services in the Internal Market, European Commission (COM(2023) 365 final), 4.

[15] See, e.g., Screen Scraping – Policy and Regulatory Implications, Australian Government – The Treasury (2023),

[16] For a literature review on the different modes of the standardization process, see Dize Dinçkol, Pinar Ozcan, & Markos Zachariadis, Regulatory Standards and Consequences for Industry Architecture: The Case of UK Open Banking, 52 Res. Policy 104760 (Jul. 2023).

[17] See, e.g., OECD, supra note 7, 32; Press Release, Final Report on the Sector Inquiry into Financial Technologies, Hellenic Competition Commission (Dec. 27, 2022),; Opinion on the Sector of New Technologies Applied to Payment Activities, French Competition Authority (Apr. 29, 2021),

[18] See, e.g., Giulio Cornelli, Fiorella De Fiore, Leonardo Gambacorta, & Cristina Manea, Fintech vs Bank Credit: How Do They React to Monetary Policy?, 234 Econ. Lett. 111475 (Jan. 2024); Karen Croxson, Jon Frost, Leonardo Gambacorta, & Tommaso Valletti, Platform-Based Business Models and Financial Inclusion: Policy Trade-Offs and Approaches, 19 J. Compet. Law Econ. 75 (Mar. 2023); Claudio Borio, Stijn Claessens, & Nikola Tarashev, Entity-Based vs Activity-Based Regulation: A Framework and Applications to Traditional Financial Firms and Big Techs (FSI Occasional Paper No. 19, Aug. 3, 2022),; Johannes Ehrentraud, Jamie Lloyd Evans, Amelie Monteil, & Fernando Restoy, Big Tech Regulation: In Search of a New Framework (FSI Occasional Paper No. 20, Oct. 3, 2022),; Raihan Zamil & Aidan Lawson, Gatekeeping the Gatekeepers: When Big Techs and Fintechs Own Banks – Benefits, Risks and Policy Options (FSI Insights No. 39, Jan. 20, 2022),

[19] See, e.g., Oskar Kowalewski & Pawel Pisany, The Rise of Fintech: A Cross-Country Perspective, 122 Technovation 102642 (Apr. 2023); Emma Li, Mike Qinghao Mao, Hong Feng Zhang, & Hao Zheng, Banks’ Investments in Fintech Ventures, 149 J. Bank. Financ. 106754 (Apr. 2023); Victor Murinde, Efthymios Rizopoulos, & Markos Zachariadis, The Impact of Fintech Revolution on the Future of Banking: Opportunities and Risks, 81 Int. Rev. Financ. Anal. 102103 (May 2022); Arnoud Boot, Peter Hoffmann, Luc Laeven, & Lev Ratnovski, Fintech: What’s Old, What’s New?, 53 J. Financ. Stab. 100836 (Apr. 2021); Luca Enriques & Wolf-Georg Ringe, Bank-Fintech Partnerships, Outsourcing Arrangements and the Case for a Mentorship Regime, 15 Cap. Mark. Law J. 374 (Jul. 31, 2020); Anjan V. Thakor, Fintech and Banking: What Do We Know?, 41 J. Financ. Intermed. 100833 (Jan. 2020); Aluma Zernik, The (Unfulfilled) Fintech Potential, 1 Notre Dame J. Emerging Tech 352 (Oct. 1, 2018); Rene? M. Stulz, FinTech, BigTech, and the Future of Banks, 31 J. Appl. Corp. Finance 86 (Sep. 2019); Xavier Vives, Digital Disruption in Banking, 11 Annu. Rev. Financ. Econ. 243 (Nov. 2019).

[20] For analysis of the debate on competitive opportunities and concerns coming from Big Tech’s entry into banking and financial markets, see Oscar Borgogno & Giuseppe Colangelo, The Data Sharing Paradox: BigTechs in Finance, 16 Eur. Compet. J. 492 (May 28, 2020).

[21] Miguel de la Mano & Jorge Padilla, Big Tech Banking, 14 J. Compet. Law Econ. 494, 503 (Dec. 4, 2018).

[22] Open Finance Policy Considerations (OECD Business and Finance Policy Papers, 2023), 30-31,

[23] See Dan Awrey & Joshua Macey, The Promise and Perils of Open Finance, 40 Yale J. on Reg. 1 (Feb. 28, 2022); Julian Alcazar & Fumiko Hayashi, Data Aggregators: The Connective Tissue for Open Banking, Fed. Res. Bank Kansas City (Aug. 24, 2022),

[24] Account-information services and payment-initiation services are those that allow a payment-service provider access to a payment-service user’s data data where the provider neither holds the user’s account funds nor does it directly service his or her payment account. Account-information services allow for the aggregation in a single location of user data held by multiple account-servicing payment-service providers; payment-initiation services allow a payment to be initiated from a user’s account in a way that is convenient for both user and payee and without need for a payment instrument, such as a payment card.

[25] Directive 2015/2366 on Payment Services in the Internal Market, (2015) OJ L 337/35, Articles 64-68. For analysis of the XS2A rule, see Oscar Borgogno & Giuseppe Colangelo, Data, Innovation and Competition in Finance: The Case of the Access to Account Rule, 31 Eur. Bus. Law Rev. 573 (Apr. 15, 2019).

[26] European Commission, supra note 14, 4.

[27] Id., 3.

[28] Id.

[29] Id., 4.

[30] European Commission, supra note 13, 16.

[31] Id., 13-14.

[32] Id., 120.

[33] Id., 15.

[34] Id.

[35] Id.

[36] The legislative amendments to PSD2 are set out in two proposals that would separate the rules governing payment services’ conduct from rules on authorization and supervision of payment institutions. On the former, see, Proposal for a Regulation on Payment Services in the Internal Market and Amending Regulation (EU) No 1093/2010, European Commission, COM(2023) 367 final; on the latter, see, Proposal for a Directive on Payment Services and Electronic Money Services in the Internal Market Amending Directive 98/26/EC and Repealing Directives 2015/2366/EU and 2009/110/EC, European Commission, COM(2023) 366 final.

[37] European Commission, supra note 14, 4-5. See also European Commission, supra note 13, 42-43, stating that “[r]equiring a new standard would render the work done on all existing standards wasted. More fundamentally, imposing a single standard would mean abandoning the principle of technology neutrality and could risk being inflexible, not future-proof and hinder innovation, since new better standards for interfaces may arise in future.”

[38] European Commission, supra note 14, 4-5, reporting that the Berlin Group standard claims to account for 80% of the PSD2 APIs.

[39] Id.

[40] European Commission, Proposal for a Regulation on Payment Services, supra note 36, Recital 61.

[41] Id., Recital 57. Exemptions are allowed for cases of failure/unavailability of the dedicated interfaces and small ASPSPs for which a dedicated interface would be disproportionately burdensome (Recital 62).

[42] Id., Recital 59.

[43] Id., Recital 56.

[44] In a similar vein, see, Principles for Commercial Frameworks for Premium APIs, UK Joint Regulatory Oversight Committee (2023), available at

[45] European Commission, Proposal for a Regulation on Payment Services, supra note 36, Recital 65.

[46] Proposal for a Regulation on a Framework for Financial Data Access and Amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554, European Commission, COM(2023) 360 final. In particular, the access provision would apply to the following selected categories of customer data: mortgage-credit agreements, loans, and accounts; savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate, and other related financial assets, as well as the economic benefits derived from such assets; pension rights in occupational-pension schemes; pension rights on the provision of pan-European personal-pension products; non-life insurance products; data which forms part of a firm’s creditworthiness assessment and that is collected as part of a loan-application process or a request for a credit rating.

[47] Id., Recital 2.

[48] Id., Recital 6.

[49] Id.

[50] Regulation (EU) 2022/1925 on Contestable and Fair Markets in the Digital Sector and Amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act), (2022) OJ L 265/1.

[51] Impact Assessment Report accompanying the Proposal for a Regulation on a Framework for Financial Data Access, European Commission, SWD(2023) 224 final, 113.

[52] European Commission, supra note 46, Recital 31.

[53] Report on Open Finance, Expert Group on European Financial Data Space (2022), 35,

[54] European Commission, supra note 46, Recital 49.

[55] Id., Recital 21.

[56] Id., Recitals 7 and 29. See also European Commission, supra note 51, 21; Expert Group on European Financial Data Space, supra note 53, 11.

[57] Regulation (EU) 2023/2854 on Harmonized Rules on Fair Access to and Use of Data and Amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act), (2023) OJ L1, Article 9.

[58] European Commission, supra note 46, Articles 5, 9-11.

[59] European Commission, supra note 56, 19.

[60] European Commission, supra note 46, Articles 9 and 10, Recital 25.

[61] European Commission, supra note 56, 55.

[62] European Commission, Proposal for a Regulation on Payment Services, supra note 36, Recital 55; European Commission, supra note 13, 47.

[63] UK Competition and Markets Authority, supra note 11. For further analysis, see Dinçkol, Ozcan, & Zachariadis, supra note 16; Borgogno & Colangelo, supra note 12.

[64] Retail Banking Market Investigation – Final Report, UK Competition and Markets Authority (2016),

[65] Id., §46.

[66] Id., §54.

[67] Id., §65.

[68] Id., §66.

[69] Recommendations for the Next Phase of Open Banking in the UK, UK Joint Regulatory Oversight Committee (2023), available at; Joint Statement by HM Treasury, the CMA, the FCA and the PSR on the Future of Open Banking, UK Government (2022),

[70] European Commission, supra note 13, 195-196.

[71] UK Government, supra note 69. See also, Open Finance – Feedback Statement, Financial Conduct Authority (2021), available at

[72] Competition and Consumer (Consumer Data Right) Rules 2020.

[73] White House, supra note 1.

[74] Consumer Financial Protection Bureau, supra note 2.

[75] Id., §§1033.111 and 1033.211.

[76] Id., §1033.311(c)(1).

[77] Id., §1033.301(c) and §1033.311(c)(2).

[78] Id., 21.

[79] Id., arguing that “[c]omprehensive and detailed technical standards mandated by Federal regulation could not address the full range of technical issues in the open banking system in a manner that keeps pace with changes in the market and technology. A rule with very granular coding and data requirements risks becoming obsolete almost immediately, which means the CFPB and regulated entities would experience constant regulatory amendment, or worse, the rule would lock in 2023 technology, and associated business practices, potentially for decades. In developing the proposal, the CFPB is mindful of these limitations and the risk that they may adversely impact the development and efficient evolution of technical standards over time.”

[80] Id., §§1033.131 and §1033.141.

[81] Awrey & Macey, supra note 23, 20. See also He, Huang, & Zhou, supra note 6, noting that open banking’s core principles do not stop at customer ownership of their own data.

[82] Rohit Chopra, Remarks at Money 20/20 (Oct. 25, 2022),

[83] Press Release, CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking, U.S. Consumer Financial Protection Bureau (Oct. 19, 2023),

[84] Consumer Financial Protection Bureau, supra note 2, 7.

[85] Id., 185 and 213.

[86] Id., 187.

[87] Id., 185-186. Notably, the CFPB estimates that there were between 50 billion and 100 billion total consumer-authorized access attempts in 2022.

[88] See Awrey & Macey, supra note 23, 19 and 35-37, arguing that the U “is home to the world’s largest, most fragmented, and most diverse financial services industry.”

[89] About FDX – Our Mission, Financial Data Exchange, (last accessed Jun. 9, 2024).

[90] Consumer Financial Protection Bureau, supra note 2, 9.

[91] Awrey & Macey, supra note 23, 37. See also Consumer Financial Protection Bureau, supra note 2, 16.

[92] Consumer Financial Protection Bureau, supra note 2, 14-15.

[93] European Commission, supra note 46, Recital 7.

[94] European Commission, supra note 13, 14.

[95] Id., 191. See also, A Study on the Application and Impact of Directive (EU) 2015/2366 on Payment Services (PSD2), VVA & CEPS (2023),, estimating that TPPs spent €35 million on problems linked to accessing APIs and €140 million on maintaining legacy systems due to APIs not working properly.

[96] See VVA & CEPS, supra note 95, estimating €2.2 billion in total (one-off) costs for all ASPSPs for setting up of PSD2 APIs.

[97] European Commission, supra note 36, Recital 56; European Commission, supra note 56, Recital 29.

[98] Data Act, supra note 57, Recitals 46 and 47, and Article 9.

[99] Consumer Financial Protection Bureau, supra note 2, §1033.301(c).

[100] See, Review into Open Banking: Giving Customers Choice, Convenience and Confidence, Australian Government (2018), 44,, acknowledging that determining equivalent data for data recipients whose primary business is not financial services can be complex, and therefore recommending that, as part of the accreditation process for non-bank data recipients, the competition regulator should determine what constitutes equivalent data for the purposes of participating in open banking.

[101] Consumer Financial Protection Bureau, supra note 2, §1033.421(a)(2).

[102] Giuseppe Colangelo & Mariateresa Maggiolino, From Fragile to Smart Consumers: Shifting Paradigm for the Digital Era, 35 Comput. Law Secur. Rev. 173 (Apr. 2019).

[103] Consumer Financial Protection Bureau, supra note 2, 21. See also Rohit Chopra, Remarks at the Financial Data Exchange Global Summit, U.S. Consumer Financial Protection Bureau (Mar. 13, 2024),, acknowledging that the EU approach led to fragmented or conflicting standards, which created complications for open-banking implementation and undermined interoperability, but simultaneously arguing that the opposite approach promoted in other jurisdictions to prescribe detailed technical standards for data sharing would not work in the United States.

[104] Consumer Financial Protection Bureau, supra note 2, §1033.131 and 1033.141. But see also Chopra, supra note 103, announcing that, before finalizing the Personal Financial Data Rights rule, the CFPB would “codify” what attributes standard-setting organizations must demonstrate to be recognized under the rule.

[105] Consumer Financial Protection Bureau, supra note 2, 22.

[106] Babina et al., supra note 4; OECD, supra note 7.

Continue reading
Financial Regulation & Corporate Governance

The Effects of Payment-Fee Price Controls on Competition and Consumers

ICLE Issue Brief Executive Summary Payment networks connect buyers with sellers. Success hinges on attracting sufficient participation on both sides of the market. Card issuers offer rewards, insurance, . . .

Executive Summary

Payment networks connect buyers with sellers. Success hinges on attracting sufficient participation on both sides of the market. Card issuers offer rewards, insurance, fraud prevention, and other benefits that create incentives for use. Issuers can do so, in part, because they receive an “interchange” fee from acquiring banks, who in turn charge a fee to merchants (the “merchant discount rate” or MDR).

Price controls on these fees interfere with the delicate balance of the two-sided market ecosystem. Interchange-fee caps in various jurisdictions have led banks to increase other fees (such as monthly account fees and annual card fees), reduce card benefits, and adjust product offerings. As a result, consumers—especially those with lower incomes—face higher costs and reduced access to financial services. These costs generally exceed by a wide margin any consumer savings from reduced prices. Price controls on MDR, seen recently in India and Costa Rica, have also distorted the market by impeding competition and favoring larger players (big-box merchants and internet-platform-service providers, which are able to monetize in other ways), while harming smaller entities and traditional banks.

Instead of imposing price controls, governments should reduce regulatory barriers and provide core public goods, such as courts of law and identity registers, which enable competition, market-driven innovation, and financial inclusion.

I. Introduction

Payment networks are integral to modern economies, facilitating the seamless exchange of goods and services across vast distances and among unfamiliar parties. This issue brief considers the effects of regulatory interventions on such networks, looking in particular at price controls on interchange fees and merchant discount rates (MDRs). While intended to reduce costs for merchants and consumers, the evidence shows these price controls impede competition and harm consumers.

For a payment network to be self-sustaining, there must be sufficient participation on both sides of the market—i.e., by both buyers and sellers. If too few sellers accept a particular form of payment, buyers will have little reason to adopt it. Likewise, if too few buyers hold a particular form of payment, sellers will have little reason to accept it. At the same time, payment networks must cover their costs of operation, including credit risk, monitoring costs, fraud risk, and investments in innovation. Payment networks typically address these two problems (optimizing participation and covering costs) simultaneously through various fees and incentives, thereby maximizing value to all participants.

Maximizing value often entails that one side of the market (usually, the merchants) subsidizes the other side (consumers) through an “interchange fee” received by the issuing bank from the acquiring bank. The interchange fee covers a much wider range of costs than the operational costs mentioned above. Specifically, it typically includes issuer costs associated with collection and default, as well as many of the additional benefits that cardholders typically receive, including various kinds of insurance and such rewards as cashback rewards and airline miles. The interchange fee, in turn, is typically covered by fees charged by the merchant’s acquiring bank (see Figure 1), known as the merchant discount rate (MDR) or merchant service charge (MSC).

FIGURE 1: Transactions in a Four-Party Card Model

Caps on interchange fees and/or MDR are price controls, which have the effect of reducing the incentive to supply the product subject to that control. Many countries have introduced price controls on interchange fees, and these have been much-studied. Section II presents a summary of the evidence of the effects of price controls on interchange fees.

By contrast, relatively few countries have imposed price controls on MDR and the effects of such price controls have rarely been scrutinized.[1] Section III thus offers an initial assessment of such effects. Finally, Section IV offers conclusions and policy recommendations.

II. Interchange-Fee Price Controls

This section considers the effects of price controls on interchange fees. While more than 30 jurisdictions have imposed such price controls, we focus on the jurisdictions for which we have the best evidence.[2] While each jurisdiction and each price control is unique, the effects appear  to generalize readily. Therefore, the limited selection of jurisdictions here should be seen as typical examples.

This section begins with a brief description of the specific form price controls took in each jurisdiction. That is followed by a description of the response by (issuing) banks. Finally, the effects on consumers are evaluated.

A. How Jurisdictions Have Capped Interchange Fees

Various jurisdictions have taken a variety of approaches to the imposition of price controls on interchange fees. The following are examples of some of the better-studied interventions.[3] These examples show what happens in the period immediately following the introduction of interchange-fee price controls. While some price controls have been repealed or changed, their effects are most transparent in the immediate aftermath of their implementation, and the inclusion of these examples thus remains instructive.

1. Spain

Spain imposed caps on interchange fees for both credit and debit cards through agreements with merchant associations and card schemes in two distinct phases: the first ran from 1999 to 2003, the second from 2006 to 2010.[4] During the first phase, caps were initially set at 3.5%, falling to 2.75% in July 2002. Caps were much lower during the second phase and were lower for large banks (over €500 million), whose credit-card interchange fees were capped at 0.66% in 2006, falling to 0.45% by 2010, than for small banks (under €100 million), whose credit-card interchange fees were capped at 1.4% in 2006, falling to 0.79% in 2010.

2. Australia

The Reserve Bank of Australia (RBA) introduced caps on interchange fees for credit cards in 2003 under a “cost-based framework,” which adjusted interchange fees based on processing costs. As a result, the RBA aimed in the first instance to reduce interchange fees by 40%, from an average of 0.95% in 2002 to 0.6% in 2003.[5]

3. United States

Under a provision of the Dodd-Frank Wall Street Reform Act of 2010 known commonly as the “Durbin amendment,” the U.S. Federal Reserve imposed caps on debit-card interchange fees for large banks, as well as routing requirements for all debit-card issuers.[6] As a result, debit-card-interchange fees fell by about 50% for large banks almost immediately. Interchange fees on debit cards issued by smaller banks and credit unions initially fell by a smaller amount, and interchange fees on single-message (PIN) debit cards have now fallen to similar levels as PIN debit cards issued by larger banks.[7]

4. European Union

In 2015, the EU capped fees at 0.2% for debit cards and 0.3% for credit cards.[8] These are hard caps with few exceptions, and those rates rapidly became the norm for most transactions (with the exception of some domestic schemes that offer lower rates).[9]

B. Response by Banks

Faced with potentially large losses of revenue, banks adopted numerous strategies to limit their losses, including, most notably:

1. Increasing other fees and interest

Banks commonly increased other fees, including annual-card fees, account-maintenance fees, late fees, and interest on loans and credit cards. For example, in the United States, banks raised monthly account-maintenance fees and increased the minimum balance needed for a fee-free account.[10] In the EU, banks increased other fees and interest rates.[11]

2. Reduced card benefits

Banks reduced the rewards and benefits associated with those cards that were subject to price controls. This included reducing or eliminating cashback rewards, points, and other incentives that were previously funded, in part, by interchange fees. For example, U.S. banks subject to the Durbin amendment generally eliminated debit-card rewards. In Australia, meanwhile, the average value of rewards fell by about 30%.[12]

3. Adjusted product offerings

Some banks shifted their focus to products not affected by the caps. In the United States, where the Durbin amendment applied only to debit cards, banks shifted their promotional efforts toward credit cards. In Australia, banks issued “companion” cards on three-party networks that were initially exempt. In some EU jurisdictions, banks have promoted business credit cards, which are exempt.[13]

C. The Effects on Consumers

Interchange-fee caps make the vast majority of consumers worse off, especially those with lower incomes. This outcome primarily arises from several interconnected factors:

1. Higher costs

As noted, in response to the reduction in interchange fees, banks have increased a range of fees, including higher account-maintenance charges (and higher minimum-balance requirements to qualify for free accounts); larger overdraft fees; increased interest rates on loans and credit cards; and higher annual fees on credit cards. These increased fees have disproportionately affected lower-income consumers, who may struggle more to maintain minimum-balance requirements or avoid overdrafts.[14]

2. Loss of insurance, other services, and the financial benefits of rewards

The reductions in rewards and other benefits on cards subject to interchange-fee caps amount to a direct pecuniary loss for millions of consumers. Often, these losses far exceed the reduction in interchange fees that cause them. A case in point is insurance: credit-card-issuing banks are typically able to negotiate volume-based discounts on insurance, which means they pay less than would an individual seeking his or her own policy. But if there simply is not sufficient revenue to cover the continuation of such benefits, issuers are forced to withdraw it, as many issuers in the EU have done.

3. Lost access to financial services

Larger account fees and increased minimum-balance requirements have resulted in an increase in unbanked and underbanked households in the United States, particularly among lower-income consumers.[15] As a result, more households have become reliant on check-cashing services, payday loans, and other high-cost financial services.

4. Limited savings passed through to consumers

While larger merchants save on transaction fees, due to the lower interchange fees, these savings are not fully passed on to consumers in the form of lower prices. The degree of pass-through can vary greatly, depending on the competitive dynamics of various retail sectors. But in most cases, merchants have passed through the reduced costs associated with lower interchange fees at a lower rate than banks have passed through losses in fee revenue, in the form of higher-priced accounts, cards and services, and reductions in rewards. As such, consumers are, on net, worse off.[16]

While the intended goal of interchange-fee caps may be to reduce merchants’ costs and generate savings for consumers, in practice, consumers see few, if any, retail-price reductions, even as they experience significantly reduced benefits from their payment cards, as well as increased banking costs.


This section explores the effects of caps on merchant discount rates. As noted earlier, it is difficult to draw broad conclusions of the kind we were able to draw in Section II on the effects of interchange-fee caps. This is both because of the relative rarity of MDR caps, as well as the fact that they have—in the two cases examined here—coincided with other policy changes and broader economic and social phenomena that simultaneously have had significant effects on the payments system. The two case studies nonetheless offer salutary lessons about the problems inherent in imposing price controls on payment fees.

A. India

India’s MDR caps, which date back to 2012, were put in place as part of a series of interventions whose broad objective was to increase access to finance and shift transactions from paper to electronic money. These initiatives included (in order of implementation): a digital ID (launched in 2010); a domestic-card scheme and debit card (RuPay) with MDR caps (implemented in 2012); and a domestic faster-payments system (UPI, launched in 2016) with zero MDR for most transactions. This section focuses primarily on the implementation of UPI, its MDR caps, and the implications for consumers, merchants, and payment-service providers.

1.  Mobile payments in India and the role of MDR

Until 2015, the two largest companies offering mobile phone-based payment services in India were Paytm and MobiKwik, which both relied on MDR to facilitate their expansion. MDR enabled these services to offer consumers cashback rewards and other incentives. MobiKwik signed up 1.5 million merchants and 55 million registered users by 2015,[17] while Paytm had 100 million registered accounts in 2015.[18]

Payment services are the core of Paytm’s business, contributing 58% of its revenue in Q3 2023 (although it fell slightly in Q1 2024).[19] These services arise from users making payments from mobile wallets stored on Paytm’s platform, using debit cards and credit cards. The company charges merchants an MDR that ranges from 0.4% to 2.99% of the transaction amount, depending on the payment type (for small-to-medium-size businesses).[20] MobiKwik, meanwhile, generates revenue from commissions and advertisements from its Zaak payment-gateway franchise subsidiary,[21] as well as loans—including short-term credit, buy-now-pay-later, and personal loans—and investment advice.[22] Of note, Zaak is also highly reliant on MDR as a source of revenue.[23]

2. Enter UPI

In 2016, the National Payments Corporation of India (NPCI), a public-private partnership between the Reserve Bank of India (RBI) and the Indian Banks Association (IBA), launched the Unified Payment Interface (UPI), an open-source interoperable API that facilitates real-time transfers between individuals with accounts at participating banks that have integrated the API into their smartphone apps.[24] NPCI also built its own app, BHIM UPI, that is available directly and can also be white-labelled by banks and PSPs.[25]

By any measure, UPI has been enormously successful. In April 2024, more than 80% of all retail payments by volume and about 30% by value were made using UPI.[26]

PhonePe, which launched in 2016, and Google Pay, which launched in India in 2017, have from the outset operated exclusively on UPI. PhonePe launched as a wholly owned subsidiary of Flipkart, India’s largest online marketplace. This enabled it to leverage the marketplace’s then-100 million users, as well as subsequent growth of Flipkart’s user base.[27] Although PhonePe has now separated from Flipkart, it is still owned by Walmart, which bought Flipkart in 2018, and is thus able to leverage the retail giant’s merchant ecosystem.

Google, meanwhile, was able to leverage its brand recognition and to monetize Google Pay through a combination of advertising and its local online marketplace. It is noteworthy that, in a 2023 survey, Google was ranked the top brand in India, followed by Amazon and YouTube (which is owned by Google).[28]

PhonePe is now the largest payment network in India, with approximately 200 million active users; Paytm ranks second, with approximately 100 million active users;[29] Google Pay is third, with about 67 million active users;[30] and MobiKwik is fourth, with 35 million active monthly users in 2023.[31]

In April 2024, PhonePe and Google Pay together represented 87% of UPI transactions by volume and value (Table 1). Paytm was the third-largest payment app on UPI, representing 8% of transactions and 6% of value. The fourth-largest app was CRED, which is a members-only app aimed at individuals with higher credit scores.[32] Together, these top four apps represented 96.5% of transaction volume and 95.5% of transaction value. The remaining apps combined all had less than 5% market share between them, and none had more than 1% individually.[33]

TABLE 1: UPI Transactions by App, April 2024


Since UPI transactions represented about 80% of India’s retail volume, this means that the combination of Google Pay and PhonePe represented more than 70% of all non-cash retail transactions in India by volume.

3. How zero MDR distorts competition

The reason such as high proportion of UPI payments come from the top four apps is that their operators have been able to monetize transactions and encourage adoption on both sides of the market without relying on MDR. NPCI prohibits MDR for most applications (exceptions are pre-paid debit and rechargeable mobile wallets, which since April 2023 have been permitted to charge up to 1.1% in MDR).[34]

These MDR caps on UPI have, however, made it less economically viable for payment-services providers (PSPs) to offer such incentives for consumers. Indeed, Paytm has recently switched from offering cashback rewards to consumers to offering cashback rewards to merchants—presumably because it realizes it has to compete with other payments ecosystems that run on UPI and therefore charge zero MDR.[35]

Like the interchange-fee caps explored in Section II, MDR caps change the economics of payment systems by reducing the ability of card issuers and payment-app operators to balance the two sides of the market through cross-subsidies. These effects became most visible after UPI went live in 2016 with zero MDR.

As noted, both PhonePe and Google Pay were able to leverage existing networks to attract both merchants and users (Flipkart, in the case of PhonePe, and Google’s search engine and other products, in the case of Google Pay). Having built a significant base of participants on both sides of the market, the companies have been able to monetize their payment systems through product advertising, upselling of related products, and in-app transactions, thereby reinforcing the network effects.

While MDR is prohibited on UPI, PhonePe usually charges a 2% transaction fee for its online-payment gateway service. Acting as a payment gateway carries little counterparty or credit risk, and is typically offered in other jurisdictions for a small flat fee. The 2% charged by PhonePe therefore effectively goes straight to the bottom line, or can be used to cross-subsidize participation, thereby further enhancing the PSPs’ market share. Indeed, in July 2023, PhonePe began offering its payment gateway for free to new customers (an own-side subsidy: existing users subsidize new users).[36]

Google Pay, meanwhile, has offered cashback incentives for use of the service on apps within its own (Android) ecosystem.[37] This encourages the use of Google Pay in much the same way that traditional rewards offer incentives to use other payment systems. The merchant beneficiaries are, however, limited to participants in its app system, for which Google charges a 30% transaction fee.

While Paytm’s share of UPI is low compared to PhonePe and Google Pay, it can monetize such transactions both by providing add-on financial services, such as insurance and investments, as well as through the MDR it charges on non-UPI transactions.[38] Paytm has also built a rewards program for merchants that encourages participation in its marketplace.[39]

Finally, CRED has partnered with a range of high-end brands to undertake targeted advertising, the revenue from which enables CRED to offer rewards to users of various kinds, including cashback rewards.[40]

While UPI has likely contributed to increased financial inclusion, the prohibition on MDR for most types of transactions has distorted the entire market toward merchants affiliated with the large mobile-payment ecosystems (PhonePe, Google, and Paytm) and a payment network targeted at higher-income customers (CRED). Meanwhile, this has come at a huge price for the majority of banks and other PSPs that facilitate payments on UPI. The Payments Council of India estimates that its members lose 55 billion rupees (US$660 million) annually as a result of the zero MDR on UPI and RuPay transactions.[41] This is effectively a transfer from those banks to the companies whose apps monetize UPI transactions.

India’s government partly offsets this loss through a subsidy to UPI participants of between 15 and 25 billion rupees.[42] But this amounts to a subsidy to PhonePe, Google, Paytm, and CRED, which is odd. Moreover, experience with other systems that impose restrictions on payment-transaction fees suggests that banks will seek to recover these losses via other fees.[43] To the extent that such additional fees fall on lower-income account holders, the effect on financial inclusion is likely to be negative.

India’s government has also announced that it intends to cap the share of UPI transactions for any one service provider to 30% by the end of 2024, with the goal of reducing the dominance of Google Pay and PhonePe.[44] It remains unclear how such caps will be implemented, but it is almost certain that whatever mechanism is adopted would cause other harmful effects. Indeed, there is something slightly absurd about introducing a cap on participation in order to address the perverse consequences of caps on MDR.

Given that the MDR caps are the cause of Google Pay and PhonePe’s combined dominance, a far better solution would be to lift those caps. Indeed, based on the evidence adduced here, removing the MDR caps would likely unleash competition and innovation. Instead of being dominated by a few giant players, UPI would become what its visionaries intended: an inclusive platform that facilitates participation by a wide range of players. The platform could then further expand access to payments, enhance smaller merchants’ ability to compete, and improve financial inclusion.

B. Costa Rica

Costa Rica introduced price controls on payment cards in 2020. Legislative Decree No. 9831 authorized the Central Bank of Costa Rice (BCCR) to regulate fees charged by service providers on “the processing of transactions that use payment devices and the operation of the card system.”[45] The legislation’s stated objective was “to promote its efficiency and security, and guarantee the lowest possible cost for affiliates.” BCCR was tasked with issuing regulations that would ensure the rule is “in the public interest” and guarantee that fees charged to “affiliates” (i.e., merchants) are “the lowest possible … following international best practices.”

Starting Nov. 24, 2020, BCCR set maximum interchange fees for domestic cards at 2.00% and maximum MDR at 2.50%. Over a four-year period, BCCR has gradually ratcheted down both MDR and interchange-fee caps, as shown in Table 2.

TABLE 2: Interchange Fee and MDR Caps in Costa Rica, 2020-2024

An unusual feature of BCCR’s regulation is the simultaneous cap on both MDR and interchange fees, which has the effect of limiting revenue to both acquiring banks and issuing banks. This has likely reduced investments by issuers and acquirers and led to lower levels of system efficiency and speed, and possibly to increased fraud.

It is also worth noting that both interchange fees and MDR vary according to merchant type and location, in large part because the risk of fraud varies among different types of merchants. There is a danger, therefore, that imposing price controls on both MDR and interchange fees could make it unprofitable for acquirers to process payments for some riskier merchants. In other words, in its attempt to reduce merchant costs, BCCR may inadvertently (but predictably) prohibit some merchants from being able to accept payment cards. This is neither efficient, nor is it in the public interest.

Looking at the trajectory of the mean and median MDRs for various merchant categories in Costa Rica before price controls were imposed (as shown in Figures 1 and 2), MDRs were, on average, quite high (a mean of about 4%) but the medians were even higher (ranging from 4% to 10% for all categories except gas stations and passenger transportation). This significant difference between the mean and median MDRs suggests either that a large proportion of merchants represented a particularly high risk (e.g., from fraud and/or chargebacks) or that there was a lack of competition among acquiring banks (and perhaps even collusion)—or perhaps both.

FIGURE 2: Mean MDR for Various Merchants in Costa Rica, 2019-2022 (%)

SOURCE: Author’s calculations based on data from BCCR

If the previously high MDRs were a function of merchant-associated risk, capping MDRs would be expected to cause acquiring banks to drop some merchants. The data, however, show that the number of merchants increased from 2020 to 2022, which suggests that lack of competition among acquirers is a more likely explanation.[46]

FIGURE 2: Median MDR for Various Merchants in Costa Rica, 2019-2022 (%)

SOURCE: Author’s calculations based on data from BCCR

To the extent that these high MDRs reflect a lack of competition among acquiring banks, the appropriate response would have been to seek to understand what was causing this lack of competition and then to remedy that directly. For example, if the lack of competition arose from regulations imposed by BCCR, it would be incumbent on BCCR to modify its regulations to reduce barriers to competition. Capping MDR does not address the underlying problem; indeed, it likely makes it worse, by inhibiting acquirers from being able to differentiate themselves on price or quality.

IV. Conclusions and Policy Implications

In competitive markets without price controls, prices evolve in ways that tend to maximize value for all participants. In payment networks, interchange fees play an important role, enabling issuers to develop appealing and competitive products with features that range from cashback rewards to travel insurance. This encourages customers to use the card or app in question, which, in turn, benefits merchants who see greater sales. The fees also facilitate associated innovations, such as AI-based fraud detection, contactless payments, and online token vaults.

When governments impose price controls on payment fees—whether in the form of caps on interchange fees or on MDR, or both—bank revenue from card transactions falls. Issuers (and acquirers, in the case of MDR caps) respond by increasing other fees, reducing card benefits, and reducing investments in improvements. The ecosystem becomes distorted, unbalanced, and fundamentally less competitive.

The beneficiaries of such interventions tend to be larger merchants and other participants in the system (including larger financial technology, or “fintech,” players). These players can leverage and reinforce their loyal customer base, and often charge fees for services (such as payment gateways) that are as high or higher than interchange fees, and even MDR.

India’s government recognizes the anticompetitive nature of its MDR caps, but appears to think that this is best-addressed by introducing new caps on participation. Costa Rica, meanwhile, appears to have suffered from a lack of competition among merchant acquirers, which drove up the cost of MDR—leading it to introduce caps on MDR.

But, in both cases, regulation is the problem, not the solution. In India’s case, various regulations—especially the caps on MDR for UPI transactions, as well as the government subsidies to UPI—have resulted in heavy concentration and impeded competition from fintech startups. Meanwhile, in Costa Rica, existing regulatory barriers likely impeded competition in the acquisition market, which enabled acquirers to charge excessive rates. This has prompted BCCR to impose MDR and interchange-fee caps that, in turn, have impeded competition in issuance.

The biggest losers from such interventions tend to be lower-income consumers, who end up paying higher bank fees and leaving—or not entering—the banking system. But there are many other losers, including the majority of consumers, and the many potential competitors that are excluded from participation because they are unable to monetize their investments via interchange and/or MDR fees.

Governments should not distort markets in these ways. Quite the opposite: they should be as neutral as possible. Rather than imposing price controls on payment systems, they might look to review and repeal existing government-created barriers to financial inclusion. These could include licensing requirements for banks that limit competition and enable acquirers to charge abnormal MDR rates.

In other words, rather than layer additional distorting regulations atop existing regulations, further harming the operation of complex private-market ecosystems, they should look for ways to reduce government-imposed barriers to competition. And, generally, they should limit themselves to the production of genuine public goods, such as courts and identity registers. Doing so will enable greater participation, competition, and innovation, which will drive financial inclusion.

[1] Other jurisdictions, such as Denmark and China, also have imposed restrictions on MDR/MSC, but this author was unable to adduce sufficient information about the nature and effects of these interventions to develop substantive analyses.

[2] We draw extensively on our earlier review: Julian Morris, Todd J. Zywicki, & Geoffrey A. Manne, The Effects of Price Controls on Payment-Card Interchange Fees: A Review and Update,  (ICLE White Paper 2022-03-04 & George Mason L. & Econ. Research Paper No. 22-07, 2022), See also Fumiko Hayashi & Jesse Leigh Maniff, Public Authority Involvement in Payment Card Markets: Various Countries, August 2020 Update, Fed. Res. Bank of Kan. City (August 2020), available at

[3] Morris et al., supra note 2.

[4] Juan Iranzo, Pascual Fernández, Gustavo Matías, & Manuel Delgado, The Effects of the Mandatory Decrease of Interchange Fees in Spain (Munich Personal RePEc Archive, MPRA Working Paper No. 43097, 2012), available at

[5] Press Release, Reform of Credit Card Schemes in Australia, Res. Bank of Austl. (Aug. 27, 2002),

[6] H.R.4173 – Dodd-Frank Wall Street Reform and Consumer Protection Act, s.1075(a)(3); Debit Card Interchange Fees and Routing; Final Rule, 76 Fed. Reg. 43,393-43,475, (Jul. 20, 2011).

[7] Todd J. Zywicki, Geoffrey A. Manne, & Julian Morris, Unreasonable and Disproportionate: How the Durbin Amendment Harms Poorer Americans and Small Businesses, Int’l Cntr For L. & Econ. (Apr. 25, 2017), available at

[8] Regulation (EU) 2015/751 of the European Parliament and of the Council of 29 April 2015 on Interchange Fees for Card-Based Payment Transactions, 2015, O.J. (L 123) 1, 10-11 (hereinafter “IFR”).

[9] Ferdinand Pavel et al., Study on the Application of the Interchange Fee Regulation: Final Report 89, European Commission Directorate-General for Competition (2020),

[10] Mark D. Manuszak & Krzysztof Wozniak, The Impact of Price Controls in Two-Sided Markets: Evidence From US Debit Card Interchange Fee Regulation (Bd. of Governors of the Fed. Res. Sys. Fin. & Econ. Discussion Series, Working Paper No. 2017-074,  2017); Vladimir Mukharlyamov & Natasha Sarin, Price Regulation in Two-Sided Markets: Empirical Evidence From Debit Cards (SSRN Working Paper, 2019),

[11] Interchange Fee Regulation (IFR) Impact Study Report, Edgar Dunn & Co. (Jan. 21, 2020),

[12] Iris Chan, Sophia Chong, & Stephen Mitchell, The Personal Credit Card Market in Australia: Pricing Over the Past Decade, Res. Bank Of Austl. Bull. (2012), available at

[13] IFR, supra note 8, Art. 1(3)(a).

[14] Mukharlyamov & Sarin, supra note 10.

[15] Id.

[16] Iranzo et al., supra note 4 at 34-37; Ian Lee, Geoffrey A. Manne, Julian Morris, & Todd J. Zywicki, Credit Where It’s Due: How Payment Cards Benefit Canadian Merchants and Consumers, and How Regulation Can Harm Them, Macdonald-Laurier Institute 1, 27 (2013); Morris, Zywicki, & Manne, supra note 7 at 23-29.

[17] Shabana Hussain, MobiKwik’s Journey and the Path Ahead, Forbes India (Apr. 6, 2015), .

[18] Paytm Reaches 100 Million Users, Business World (Aug. 11, 2015),–84698.

[19] Press Release, Paytm’s Earning’s Release for Quarter and Year Ending March 2024, Paytm (May 22, 2024), available at

[20] Paytm’s Pricing, Paytm, (last visited Jun. 07, 2024).

[21] MobiKwik Consolidated Financial Statement, MobiKwik (2023), available at; Report on the Audit of Special Purpose Interim Financial Statements, Tattvam & Co. (Dec. 31, 2023), available at; Subsidiary Financials, MobiKwik, (last visited Jun. 7, 2024); Status of Applications Received from Online Payment Aggregators (PAs) Under Payment and Settlement Systems Act, 2007, Res. Bank of India, (last updated Jun. 1, 2024).

[22] Id., Res. Bank of India.

[23] Pratik Bhakta, MobiKwik to Add Muscle to Its Payment Gateway Business, The Economic Times (May 13, 2017),

[24] Unified Payments Interface (UPI), National Payments Corporation of India (2024),; UPI Live Members, National Payments Corporation of India (2024),

[25] BHIM, (last visited Jun. 7, 2024); Pratik Bhakta, BHIM to Be the Right Platform for Small Banks to Enter Payment Space, The Economic Times (Feb. 3, 2017),

[26] Payment System Indicators, Res. Bank of India (Apr. 2024),

[27] Alnoor Peermohamed, Flipkart Grows User Base to 100 million, Business Standard (Jun. 6, 2024),

[28] Gaurav Laghate, Google, Amazon, YouTube Top India brands, Livemint (Jun. 27, 2023),

[29] Paytm Surpasses 100 Million Monthly Transacting Users for the First Time in Q3 FY24, Livemint (Jan. 22, 2024),

[30] Michael G. William, How Many People Use Google Pay in 2023?, Watcher Guru (Sep. 14, 2023),

[31] MobiKwik Continues Profitable Streak for Second Quarter in a Row, The Economic Times (Oct. 05, 2023),

[32] CRED, (last visited Jun. 07, 2024).

[33] Eight other apps had between 0.25% and 0.75% of transaction volume and/or value: Amazon Pay, ICICI Bank Apps, Fampay, Kotak Mahindra Bank Apps, HDFC Bank Apps, WhatsApp, BHIM, and Yes Bank Apps.

[34] Upasana Taku, NPCI’s 1.1% Interchange Fee on UPI Payments Via Wallet – The Watershed Moment for Fintech in India, The Times of India (May 15, 2023),

[35] Pratik Bhakta, Inside Paytm’s Cashback Offers for Retailers, The Economic Times (Jul. 7, 2023),

[36] Mayur Shetty, PhonePe Cuts Fees for Payment Gateway Services, The Times of India (Jun. 14, 2023),

[37] Manish Singh, Google’s New Plan to Push Google Pay in India: Cashback Incentives in Android Apps, TechCrunch (May 16, 2019),

[38] Paytm, supra note 20.

[39] An Overview of Merchant Discount Rate Charges, AMLegals (Mar. 15, 2024),

[40] CRED Pay, (last visited Jun. 7, 2024).

[41] Roll Back Zero Merchant Discount Rate on UPI, Rupay Debit Card Payments, Industry Body Payments Council of India Writes to Finance Ministry, The Indian Express (Jan. 23, 2022),

[42] Pratik Bhakta, Fintechs Await Government Word on MDR Subsidy Allocation, The Economic Times (Feb. 22, 2024),

[43] Morris et al., supra note 2.

[44] Ajinkya Kawale,  NPCI to Review by End of Year Decision on 30% UPI Market Share Cap, Business Standard (Apr. 19, 2024),

[45] Author’s translations from the Spanish original are approximate.

[46] Fijación Ordinaria de Comisiones Máximas del Sistema de Tarjetas de Pago, Banco Centrale de Costa Rica (Oct. 2023), 12, available at

Continue reading
Financial Regulation & Corporate Governance

Vullo and the Dangers of Government Coercion Over Speech

TOTM The U.S. Supreme Court delivered a major victory for free speech and struck a blow against government censorship-by-proxy yesterday in NRA v. Vullo: “Government officials cannot . . .

The U.S. Supreme Court delivered a major victory for free speech and struck a blow against government censorship-by-proxy yesterday in NRA v. Vullo: “Government officials cannot attempt to coerce private parties in order to punish or suppress views that the government disfavors.”

This is a major decision, and will have implications for free speech online, as the Court must soon consider similar facts in the social-media context in Murthy v. Missouri. But the case also illustrates the dangers that can attend government officials using even valid regulatory authority to strongarm private entities into doing things in ways they couldn’t do directly.

The Court’s unanimous opinion gets it right: “[A] government official cannot do indirectly what she is barred from doing directly… [she] cannot coerce a private party to punish or suppress disfavored speech on her behalf.”

Read the full piece here.

Continue reading
Financial Regulation & Corporate Governance

The Whac-A-Mole Game: An Empirical Analysis of the Regulation of Litigant Third Party Financing

Scholarship Abstract Using a unique private dataset from one of the largest consumer litigation financing firms in the U.S., we are the first to explore the . . .


Using a unique private dataset from one of the largest consumer litigation financing firms in the U.S., we are the first to explore the impact of states’ regulatory activity (statutory or judicial) on funders’ behavior and consumers’ welfare. Our comprehensive dataset includes data on over 105,000 third party funding agreements from 2000 throughout 2020 and data we compiled ourselves from court decisions, state legislation, and regulatory actions.

Read at SSRN.

Continue reading
Financial Regulation & Corporate Governance

The Supreme Court’s Restoration of Executive Prerogative

Popular Media In its brief history, the Consumer Financial Protection Bureau (CFPB) has been the subject of three of the most important separation of powers cases in . . .

In its brief history, the Consumer Financial Protection Bureau (CFPB) has been the subject of three of the most important separation of powers cases in the last half century. In the first two cases, NLRB v. Noel Canning (2014), which addressed the recess appointment power of the President, and Seila Law LLC v. Consumer Financial Protection Bureau (2020), which dealt with the authority of the President to remove a sitting head of a single-member independent agency, the Supreme Court sided with the challengers.

Continue reading
Financial Regulation & Corporate Governance

Measuring the Openness of AI Foundation Models: Competition and Policy Implications

Scholarship Abstract This paper presents the first comprehensive evaluation of AI foundation model licenses as drivers of innovation commons. It introduces a novel methodology for assessing . . .


This paper presents the first comprehensive evaluation of AI foundation model licenses as drivers of innovation commons. It introduces a novel methodology for assessing the openness of AI foundation models and applies this approach across prominent models such as OpenAI’s GPT-4, Meta’s Llama 3, Google’s Gemini, Mistral’s 8x7B, and MidJourney’s V6. The results yield practical policy recommendations and focal points for competition agencies.

Read at SSRN.


Continue reading
Innovation & the New Economy

Do We Need a ‘New Strategy Paradigm’? No

Scholarship Abstract Bansal et al.’s Point piece, “Strategy’s Ecological Fallacy: How strategy scholars have contributed to the ecological crisis and what we can do about it,” . . .


Bansal et al.’s Point piece, “Strategy’s Ecological Fallacy: How strategy scholars have contributed to the ecological crisis and what we can do about it,” calls for reforming the strategy field to focus on the natural environment, ecological cycles, and interconnections across natural and social levels, in service of value creation for ‘a defined ecosystem that comprises respect for the natural environment’. We doubt that such new foundations are necessary or useful. We argue that Bansal et al. misconstrue the evolution and content of strategy thinking; downplay the usefulness of existing tools for dealing with their issues of concern; overlook problems of measurement, collective action, government failure, and cronyism encouraged by their preferred policies; embrace an unnecessarily alarmist worldview; and underappreciate the social benefits of the market-based institutions they criticize. We suggest instead that a market system based on clearly delineated property rights, prices that freely adjust to reflect scarcities, and an institutional environment that encourages entrepreneurship and innovation remains an underappreciated instrument for protection of the natural environment, one that is superior to centralized and regulatory alternatives.

Continue reading
Financial Regulation & Corporate Governance

Rural Renting: An Empirical Portrait of Eviction

Scholarship Abstract In this paper, we examine eviction from the renter’s perspective. Specifically, we seek to understand what factors influence the eviction process—and the likelihood that . . .


In this paper, we examine eviction from the renter’s perspective. Specifically, we seek to understand what factors influence the eviction process—and the likelihood that it will result in a judgment against a renter—once a property owner initiates legal proceedings. To this end, we used records from 202,572 eviction cases filed by landlords in Kentucky courts. We employed statistical modeling to determine what impacted whether those cases ultimately ended in a judgment of eviction against a renter.

Many of our findings were novel, and they were staggering. We found that, holding all else equal, those living in rural areas were more than 55 percent more likely to experience a judgment of eviction just by virtue of where they lived. We also found that those living in jurisdictions that had adopted renter-friendly policies (URLTA) were more likely to avoid a judgment of eviction—even though these laws do not impact the eviction process itself. Additionally, we found that renters who lived in the same ZIP code and/or state as their landlord were significantly more likely to resolve their case prior to judgment.

Collectively, these findings, and others, have implications for eviction policy. They suggest that we must pay more attention to rural courts and the factors that lead to disparate outcomes in them. They call for programs that encourage collaboration between property owners and home renters, such as mediation and other types of eviction diversion. These results also must lead to further study of the time period between when an eviction case is filed and when it is concluded to more fully understand how the various parties approach decision-making with this legal process. Throughout it all, the needs and voices of rural renters must be a part of the ongoing conversation.

Read at SSRN.


Continue reading
Financial Regulation & Corporate Governance

Consumer Privacy, Information Sharing, and Consumer Finance: Tradeoffs and Opportunities

Scholarship Abstract Concerns over the ownership, use, security, and flows of consumer data information are not new. Yet the dominance of the Internet and electronic payments . . .


Concerns over the ownership, use, security, and flows of consumer data information are not new. Yet the dominance of the Internet and electronic payments has elevated such concerns to a high level. Traditionally there was perceived to be a tradeoff between the flow of information necessary for the consumer financial system to work well (such as to solve information asymmetries necessary in order to make credit-granting decisions) and consumer control over their data and keeping their information private. Data security approaches historically pursued a state “fortress” model that rested on the ability of consumers to keep private a small amount of information the consumer uniquely knew, such as a PIN or password.

Today, however, it is becoming apparent that this static model is no longer viable and can be expected to grow less viable with the growth of artificial intelligence and machine-learning. But such approaches have costs as well—not only are they often more cumbersome, when the fortress walls are breached these systems can be slower to adapt and can result in increased harm to consumers on the back end. Some people have suggested that we respond to these emergent threats by trying to build taller and thicker fortress walls and other static, such as the use of biometric identification. The approach suggested here, by contrast, attempts to model what a more dynamic approach to information security would look like and how such a system would be dependent on more data flows rather than less. I suggest some areas of current and proposed regulation that should be reexamined in light of the analysis presented here.

Read at SSRN.

Continue reading
Data Security & Privacy